traderepublic / Cilicon

🛠️ Self-Hosted ephemeral macOS CI on Apple Silicon
MIT License

VPN / Host Network #40

Open PaulWoitaschek opened 10 months ago

PaulWoitaschek commented 10 months ago

First of all, thanks for building Cilicon!

Is there currently a way to share the host network? We have connected the host machines to our VPN but the VM seems to not share the host network and therefore isn't able to reach our Gitlab instance.

Marcocanc commented 10 months ago

Hi Paul, there might be, but since it's not a use-case for us we will probably not spend any resources on this. We're open to contributions though! Here's the documentation for the network aspect of the virtualization framework.

PaulWoitaschek commented 6 months ago

Would it be possible to utilize the preRun step? I imagine a scenario where you add a VPN credentials file to the home dir, and in the config, Cilicon allows you to run arbitrary scripts in the context of the new virtual machine - so users can use that to set up the VPN connection before Cilicon tries to register as a Gitlab runner.

Sherlouk commented 3 months ago

Writing here more for my own sanity so I can refer back to it later, but this will require changes to the network configuration most likely to support bridged networks which gives direct access to the host. One challenge appears to be the need to have the com.apple.vm.networking entitlement (which I'm awaiting approval from Apple for). There's a good guide from Mark Sowell which explores how to do this - snippets of which can be reused for Cilicon. Will keep folks updated whether or not this adventure works 👍

Sherlouk commented 3 months ago

Continued to investigate this. The bridged network configuration is easy to change, though it does break the lease logic (in that the IP returned from /var/db/dhcpd_leases is not accurate).

Performing an arp -a does find the correct IP (or go to the Settings app within the VM itself which returns the same value) - this allows the SSH connection to be completed and for scripts to be run. Without setting up a shell process to run that command, I'm unsure if there's a better way to check for that.

I have a rather unique VPN configuration and so far I've not been able to get it to work - but I don't think that's related to the code just yet (will need to verify once I can wire myself into the network in a few weeks).
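The IP lookup described in the comment above (falling back to `arp -a` when `/var/db/dhcpd_leases` is stale under bridged networking), as an added shell example that is not part of Cilicon or this thread. It assumes the host is macOS, whose `arp -a` prints each MAC octet without leading zeros (`2:3a:...` rather than `02:3a:...`), so both the lease-file form and the ARP form are normalized before comparison. The ARP output below is a constructed sample so the script runs offline; on a real host you would pass `"$(arp -a)"` instead.

```shell
#!/usr/bin/env bash
# Added example (not Cilicon code): resolve a VM's IP from the host ARP table
# by its MAC address, for use when the DHCP lease file is not accurate.
# Runs against constructed sample output; see the usage line at the bottom.

# macOS `arp -a` drops leading zeros per octet. normalize_mac lowercases the
# address and strips those zeros so "02:3A:..." and "2:3a:..." compare equal.
normalize_mac() {
  printf '%s' "$1" | tr 'A-F' 'a-f' | awk -F: '{
    out = ""
    for (i = 1; i <= NF; i++) {
      o = $i
      sub(/^0+/, "", o)
      if (o == "") o = "0"
      out = out (i > 1 ? ":" : "") o
    }
    print out
  }'
}

# ip_for_mac MAC ARP_OUTPUT
# Prints the IPv4 address whose ARP entry matches MAC; returns 1 if none.
# Incomplete entries ("at (incomplete)") do not match the MAC pattern and are skipped.
ip_for_mac() {
  want=$(normalize_mac "$1")
  while IFS= read -r line; do
    # Expected shape: "? (192.168.64.2) at 2:3a:bc:de:f0:1 on bridge100 ifscope [ethernet]"
    ip=$(printf '%s' "$line" | sed -n 's/^[^(]*(\([0-9.]*\)) at \([0-9a-fA-F:]*\) .*/\1/p')
    mac=$(printf '%s' "$line" | sed -n 's/^[^(]*(\([0-9.]*\)) at \([0-9a-fA-F:]*\) .*/\2/p')
    [ -n "$ip" ] && [ -n "$mac" ] || continue
    if [ "$(normalize_mac "$mac")" = "$want" ]; then
      printf '%s\n' "$ip"
      return 0
    fi
  done <<EOF
$2
EOF
  return 1
}

# Constructed sample of host `arp -a` output; every address here is invented.
SAMPLE_ARP='? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.9) at (incomplete) on en0 ifscope [ethernet]
? (192.168.1.57) at 2:3a:bc:de:f0:1 on bridge100 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]'

# Offline demonstration: the VM MAC as it would appear in the lease file.
ip_for_mac '02:3A:BC:DE:F0:01' "$SAMPLE_ARP"
# Real use on the host: ip_for_mac "$VM_MAC" "$(arp -a)"
```

Because ARP entries only appear after the VM has sent traffic on the bridge, a caller polling this after boot should retry for a short period before treating an empty result as a failure.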